Skip to Content

How to Consume On-premise OData Service via Cloud Connector from HCP with Principal Propagation

Dec 22, 2016 at 10:37 AM


avatar image

Hi Experts,

I have the arch scenario as below:

1.Deploy Java App on Hana Cloud Platform,runtime is Java Tomcat 7, then configure Destination to on-premise OData service.

2.Configure Access control in Cloud Connector to expose the resource.

3.Access Java app to access backend system and retrieve data.

But I encounter some issue on the destination service.

----Case 1:

configure destination as Basic Authentication.

then when I build HTTP request to backend service, I add following codes:

String credentials = destConfiguration.getProperty("User") + ":" + destConfiguration.getProperty("Password");

String cred_encode = Base64.encodeBase64String(credentials.getBytes()); connection.setRequestProperty("Authorization", "Basic " + cred_encode);

In a word, need to fill Authorization field as "Basic 6HIJ3i8er" into HTTP header, then I can make a successful aceess to backend resource.

----Case 2:

However, now I want to configure destination as Principal Propagation.

Then when I build HTTP request , what content should I fill into HTTP request header? If I did nothing, there is error shown as " to generate authorization token".

Thanks in advance for your help.


capture.jpg (31.0 kB)
capture.jpg (29.5 kB)
10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

1 Answer

Kai-Fabius Pribyl Oct 26, 2017 at 12:14 PM

Hi Alex,

did you find a solution? I have the same issue right know, I'm wondering what to put into the HTTP request header. I'm getting a http 401 response (Unauthorized) which makes sense if I leave it blank. I'm working with DestinationConfiguration within a Tomcat 8 runtime.

My Cloud Connector should create a X.509 user Certificate. Am I supposed to use the AuthenticationHeaderProvider and put my SAML2.0 session into the authorization field? It doesn't seem to work that way.


Show 1 Share
10 |10000 characters needed characters left characters exceeded

I just figured out myself:

The header field "SAP-Connectivity-Authentication" with "PrincipalPropagation <PrincipalPropagationToken>" is needed, which you can easily get with the getPrincipalPropagationHeader method of an AuthenticationHeaderProvider.

When using the servlet shown here:

just add


to the web.xml and the following to your java servlet:

AuthenticationHeaderProvider authHeadProv = (AuthenticationHeaderProvider) ctx.lookup("java:comp/env/myAuthHeaderProvider");
AuthenticationHeader ppHeader = authHeadProv.getPrincipalPropagationHeader();
urlConnection.setRequestProperty(ppHeader.getName(),  ppHeader.getValue());

The AuthenticationHeaderProvider API is also worth reading.